Buenaventura has a risk-based cybersecurity program supported by an assessment and estimation of the maturity level according to the controls within the NIST CSF. As part of the program outcome, a corporate strategy has been designed based on four core pillars to cover the main cybersecurity capabilities that need to be addressed in the current cyber threat scenario: Improvement of cybersecurity governance, continuous risk management, strengthening of a cybersecurity culture, and, finally, a cybersecurity strategy that allows for the reinforcing of the protection of critical assets and improvement detection and response capabilities in the face of cyber incidents.

​

It should be noted that, as part of this program, an update of the maturity level assessment is performed on a periodic basis and a specialized supplier is requested to provide a third-party view of the evolution of the program and the strategy.

​

Likewise, for each pillar, a series of measures and controls has been established so as to improve the level of protection against cyber threats, as well as to maintain an adequate management of the cybersecurity program and strategy within the organization. Some of the capabilities currently in place are detailed below:

​

In order to improve cybersecurity governance, a general information policy for security and cybersecurity and a policy manual have been established as the general framework for the protection of the organization’s assets, safeguarding asset confidentiality, integrity and availability and ensuring the trust of key stakeholders. There is a procedure for the identification and classification of information assets.

​

The operational cybersecurity risks that threaten the company are detected through an external consultancy. Based on the SWOT analysis, impact and probability, three macro cybersecurity risks were detected. A roadmap was created to address each risk and thus mitigate the impact on our information and operations.

​

Regarding the cybersecurity culture, an information security and cybersecurity awareness plan has been established, where the activities to be executed as part of the training and awareness of Buenaventura employees and suppliers have been formalized. Likewise, social engineering tests are periodically performed in order to evaluate employees’ capabilities to detect and report potential cyber threats that could compromise the critical assets of the organization.

​

As part of the cybersecurity strategy implemented in the Company, the protection of critical assets has been reinforced, and various cybersecurity solutions and products have been implemented both externally and internally to improve Buenaventura’s capabilities to prevent, detect, and minimize the impact of any cyber incident or threat. Finally, as part of the improvement of capabilities, a cybersecurity operations center (SOC) has been implemented to monitor and manage cybersecurity alerts for Buenaventura’s network and infrastructure in order early detect potential threats. Likewise, a general cyber incident response plan has been designed together with a series of operating procedures for the main types of threats according to the current scenario that lay the basis for an adequate and effective response to a cyber incident in order to minimize the impact it could generate. Finally, we have a disaster recovery procedure under continuous review and annual testing.